Buyer beware: the mobile apps you use aren’t as benign as you think. In fact, some apps and iOS services may be fraught with security vulnerabilities.

That’s what Mike Park, managing consultant at online security company Trustwave, told me earlier this week. Park has spent more than a year looking into security weaknesses in mobile point-of-sale (POS) devices.

This came about because he was hired last year to run penetration tests on several clients’ POS systems, looking into how secure they were. His findings were pretty shocking. “We found that [these mobile POS devices] are rather dangerous,” he told me. That’s what led him to look into this problem further, and why he’s presenting his case studies at the AppSecUSA conference tomorrow.

How dangerous are they? In short, when businesses implement a mobile POS system like Shopify or Square, they are likely using a potentially vulnerable payment platform.

Park looked closely into three different mobile POS providers that use iOS (which, of course, he couldn’t name due to nondisclosure agreements) to see what kind of vulnerabilities they contained. He found one that was safe for vendors to use on the whole. The other two didn’t get his seal of approval. One was vulnerable to attacks, but not yet released to the public; the company was aware and claimed it is working on a solution. The third was just plain horrible. “There were so many bad things that were happening,” he said. Primarily, these bad things were improper security measures.

This made Park wonder how widespread these vulnerabilities were: are most iOS POS systems susceptible? Unfortunately, Park thinks that may be the case. He looked into more devices on the market and was “seeing the same problems over and over again.”

A phone or tablet, he says, can be jailbroken, these POS devices can be hacked, and customer information is at a hacker’s fingertips. These problems, for the most part, arise in the development stage. Park found that developers were implementing encryption methods that were downright lazy. “The people who design and make the decisions [for these devices] need to know the impact of what their decisions are going to be.” Essentially this lack of a strong encryption system means that customers risk having their identities stolen.

The big issue is that the encryption is taking place inside the software. Instead, it should be happening in the hardware. There is a brief moment when identifiable information is unencrypted, he explained. If encryption happens in the software, that amount of time is much longer, which makes it easier for a hacker to gain access to this information. Conversely, if the encryption occurs in the hardware, the problem is somewhat mitigated.

So how does a consumer or vendor know which device to use? In all honesty, as things are now, it’s always going to be a gamble. Given Park’s nondisclosure agreement, he is unable to name names, but still thinks people should be aware. The only advice he was able to give me for consumers was that if a mobile POS system allows customer information to be entered manually — that is, a user can type in a credit card number rather than swipe — then that system is inherently not safe. Park’s real message, however, is directed at developers.

According to one report, mobile POS terminals increased by 111 percent from 2011 to 2012. But with this rush, developers have to be aware of what they are creating. According to Park, they have to “be prepared to make the hard decisions up front.” This may mean it will take longer to develop a solid, secure payment system.

But, if that’s what it takes to maintain security, then by all means, developers, take your time.

Yet POS systems aren’t the only security problem with mobile devices. Another Trustwave security consultant, Bruno Oliveira, found a separate mobile vulnerability. He was hired to look into file-sharing apps that use Bluetooth and found that many of these apps contained no encryption whatsoever, while some were bereft of authentication. “They don’t have any security features enabled,” Oliveira told me. He, too, will be presenting at AppSec.

With these apps containing meager security measures, he found he was able to hack into these apps and gain complete access to the files. “I could delete files, I could upload files, and I could leak the files,” he said.

All of this was simply due to app developers not implementing security and encryption measures into the programs.

“The problem,” he said, “is that the software designers don’t care about security. They want to sell applications.”

And, much like Park’s discovery, this wasn’t just one isolated instance or various different flaws. Most of the file-sharing apps shared the same problems that could have been fixed relatively easily in the development stage.

It’s only a matter of time until hackers start to capitalize on mobile devices. We’ve seen numerous hacking instances via phishing campaigns over the years. Meanwhile, hackers have been known to equip ATMs with “skimming” technologies to physically read debit card numbers.

It seems like mobile POS and other apps are a logical extension of this kind of behavior.

So the next time someone uses an iPad to swipe your card or asks to share a file on your iPhone, you may want to think twice. Or at least be aware of the potential risk.
